Merge pull request #246123 from mweinelt/matrix-appservice-syscall-filter-update

nixos/matrix-appservice-irc: update syscall filter

authored by

Martin Weinelt and committed by
GitHub
0a5e37e1 424ed972

+4 -1
+4 -1
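--- a/nixos/modules/services/matrix/appservice-irc.nix
+++ b/nixos/modules/services/matrix/appservice-irc.nix
@@ -215,7 +215,10 @@
 LockPersonality = true;
 RestrictRealtime = true;
 PrivateMounts = true;
-SystemCallFilter = "~@aio @clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @setuid @swap";
+SystemCallFilter = [
+"@system-service @pkey"
+"~@privileged @resources"
+];
 SystemCallArchitectures = "native";
 # AF_UNIX is required to connect to a postgres socket.
 RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";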
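Review bot: The new allowlist appears to re-permit syscall groups that the old denylist blocked explicitly. As far as I know, systemd's `@system-service` set includes `@aio`, `@keyring` and `@memlock`, and the `~@privileged @resources` entry subtracts none of them. If the bridge does not need kernel keyring or memory-locking calls, keep them denied with `"~@privileged @resources @keyring @memlock"`, and check the group membership with `systemd-analyze syscall-filter @system-service` on the systemd version being shipped. A short comment above the `"@system-service @pkey"` entry saying why `@pkey` is allowed (presumably the Node.js runtime needs the protection-key calls; confirm) would stop a later hardening pass from dropping it. The enclosing `serviceConfig` block starts and ends outside the visible lines.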